sql injection through address bar.


harmor19
11-11-2005, 04:37 PM
I am reading this article on security and it mentions something about passing data through the address bar.

If I had
UPDATE $table SET ReadCount = ReadCount + 1 WHERE MessageID = $MID;
I could pass this through the address bar
mypage.php?table=admin SET Password = 'foo';#

I noticed that I have this in my own script

$query="UPDATE rpg_character
SET
move_v = '$move_v',
move_h ='$move_h'
WHERE characterid='".$rpg['characterid']."'";
mysql_query($query);
So I wanted to test it but it doesn't work.
rpg_index.php?move_v='60' WHERE characterid = '1'; #

Here's the article http://www.hudzilla.org/phpbook/read.php/17_1_1

I am guessing that browsers recognize the "#" character.

The Geek
11-11-2005, 04:39 PM
It would only work if a variable of the same name existed, was used in a query string, and was not previously cleansed.

In a nutshell, it CAN happen - but it's rare and really only through irresponsible coding or a complete oversight.

BTW: It couldn't happen the way you are trying to do it anyway. Why exactly are you posting this anyway? This is 'hacking' fodder which kind of concerns me.

harmor19
11-11-2005, 04:46 PM
I don't plan on hacking anyone's site, I just wanted more insight about sql injection to protect myself.

The Geek
11-11-2005, 04:55 PM
Here is a little information on protecting yourself from injections with vb; however, it looks a bit dated (globalize isn't used as such anymore).

https://vborg.vbsupport.ru/showthread.php?t=80217&highlight=injection

HTHs

harmor19
11-11-2005, 06:41 PM
Thank you.

This is off-topic.
I have four buttons: "up, down, right, left".
When a button is pressed it adds or subtracts from the value and re-inserts it into the database.

if (isset($_POST['up']))
{
$move_v = $rpg['move_v'] + 10;
}
elseif (isset($_POST['down']))
{
$move_v = $rpg['move_v'] - 10;
}
else
{
$move_v = $rpg['move_v'];
}
//code for left and right buttons here ($move_h)

$query = "UPDATE rpg_character
SET
move_v = '$move_v',
move_h ='$move_h'
WHERE characterid='".$rpg['characterid']."'";
mysql_query($query);
What I'm doing is using the php image function and on that script I'm getting the vertical ($move_v) and the horizontal ($move_h) positions.
It'll place an image according to those coordinates.

So my question is if I have a lot of people playing at the same time will it bog down the server?

Marco van Herwaarden
11-11-2005, 06:53 PM
Well, it could for sure get wrong results (there is a little time between calculating and submitting the query). I suggest something like the following:

$move = array();
if (isset($_POST['up']))
{
$move[] = "move_v = move_v + 10";
}
elseif (isset($_POST['down']))
{
$move[] = "move_v = move_v - 10";
}

if ($move)
{
$move_sql = implode(", ", $move);
$query = "UPDATE rpg_character
SET
$move_sql
WHERE characterid='".$rpg['characterid']."'";
mysql_query($query);
}

Just typed it here, so not tested and probably made a typo somewhere, but you get the idea.

You can add the code to add to the $move array for horizontal yourself.
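An added example, not code from the thread: the rpg_character update from the posts above written two ways, the string-built version beside a prepared, atomic one. It assumes PHP's PDO with the pdo_sqlite driver and uses a constructed in-memory table; the request value is constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumes PDO with the pdo_sqlite driver;
// table and column names follow the thread's snippets.

// Unsafe: the query is built by string interpolation, as in the original
// snippet. It is only returned here so the reader can see how a request
// value becomes part of the SQL text.
function buildUnsafeUpdate(string $move_v, string $move_h, string $characterid): string
{
    return "UPDATE rpg_character SET move_v = '$move_v', move_h = '$move_h' "
         . "WHERE characterid = '$characterid'";
}

// Safe: the direction is checked against a fixed list (so request data never
// becomes SQL text), the character id is bound as a parameter, and the
// arithmetic is done in SQL in one statement, so two concurrent presses
// cannot overwrite each other's result (the race Marco describes).
function moveCharacter(PDO $db, int $characterid, string $direction): bool
{
    $deltas = [
        'up'    => ['move_v', 10], 'down' => ['move_v', -10],
        'right' => ['move_h', 10], 'left' => ['move_h', -10],
    ];
    if (!isset($deltas[$direction])) {
        return false;                           // unknown button: do nothing
    }
    [$column, $delta] = $deltas[$direction];    // $column comes from our own list
    $stmt = $db->prepare("UPDATE rpg_character SET $column = $column + :delta WHERE characterid = :id");
    $stmt->execute([':delta' => $delta, ':id' => $characterid]);
    return $stmt->rowCount() === 1;
}

// Demo on a constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE rpg_character (characterid INTEGER PRIMARY KEY, move_v INTEGER, move_h INTEGER)");
$db->exec("INSERT INTO rpg_character VALUES (1, 50, 50)");

// A constructed request value containing a quote: the printed query shows the
// developer's WHERE clause replaced by whatever followed the quote.
$fromRequest = "60' WHERE characterid = '1'; #";
echo buildUnsafeUpdate($fromRequest, '0', '2'), "\n";

// Two "up" presses and one "left" press, each a single atomic statement.
moveCharacter($db, 1, 'up');
moveCharacter($db, 1, 'up');
moveCharacter($db, 1, 'left');
$row = $db->query("SELECT move_v, move_h FROM rpg_character WHERE characterid = 1")->fetch(PDO::FETCH_ASSOC);
printf("move_v=%d move_h=%d\n", $row['move_v'], $row['move_h']);
```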

harmor19
11-11-2005, 09:39 PM
I did the mktime on my script using my way and your way and they're both pretty much the same.

For my way I get "0.00130414962769" seconds
For your way I get "0.00123000144958" seconds
I'll use your way since it looks more complex.

I have another off-topic question.

How can I pass a variable to a script without loading the script I'm sending it to?
Instead of doing this...
<form action='somescript.php' method='post'>
Then on somescript.php I would use $_POST['var']
But I would like to send $_POST['var'] to somescript.php with the browser redirecting to somescript.php?
I know it sounds weird but I may have a use for it.